hf_text-generation-inference/.github/workflows/build.yaml

name: Build and push docker image to internal registry

on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:
    paths:
      - ".github/workflows/build.yaml"
      - "server/**"
      - "proto/**"
      - "router/**"
      - "launcher/**"
      - "Cargo.lock"
      - "rust-toolchain.toml"
      - "Dockerfile"
    branches:
      - 'main'

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  build-and-push-image:
    runs-on: large-runner
    permissions:
      contents: write
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Initialize Docker Buildx
        uses: docker/setup-buildx-action@v2.0.0
        with:
          install: true
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4.4.1
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
        with:
          cosign-release: 'v1.13.1'
      - name: Tailscale
        uses: tailscale/github-action@v1
        with:
          authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to internal Container Registry
        uses: docker/login-action@v2.1.0
        with:
          username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }}
          password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }}
          registry: registry.internal.huggingface.tech
      - name: Login to Azure Container Registry
#        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2.1.0
        with:
          username: ${{ secrets.AZURE_DOCKER_USERNAME }}
          password: ${{ secrets.AZURE_DOCKER_PASSWORD }}
          registry: db4c2190dd824d1f950f5d1555fbadf0.azurecr.io
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4.3.0
        with:
          flavor: |
            latest=auto
          images: |
            registry.internal.huggingface.tech/api-inference/community/text-generation-inference
            ghcr.io/huggingface/text-generation-inference
            db4c2190dd824d1f950f5d1555fbadf0.azurecr.io/text-generation-inference
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
            type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4
        with:
          context: .
          file: Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: 'linux/amd64'
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
          cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data.
      - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: "true"
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'
          format: 'github'
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          scanners: 'vuln'
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
          scanners: 'vuln'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ github.event_name != 'pull_request' }}
        with:
          sarif_file: 'trivy-results.sarif'

  build-and-push-sagemaker-image:
    needs:
      - build-and-push-image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Initialize Docker Buildx
        uses: docker/setup-buildx-action@v2.0.0
        with:
          install: true
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4.4.1
      - name: Tailscale
        uses: tailscale/github-action@v1
        with:
          authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
      - name: Login to internal Container Registry
        uses: docker/login-action@v2.1.0
        with:
          username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }}
          password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }}
          registry: registry.internal.huggingface.tech
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4.3.0
        with:
          flavor: |
            latest=auto
          images: |
            registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
            type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          file: Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: 'linux/amd64'
          target: sagemaker
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`name: Build and push docker image to internal registry`

			`on:`
			`workflow_dispatch:`
			`push:`
			`branches:`
			`- 'main'`
feat(router): refactor API and add openAPI schemas (#53) 2023-02-03 04:43:37 -07:00			`tags:`
			`- 'v*'`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`pull_request:`
feat(ci): add ci paths (#134) 2023-03-23 11:01:30 -06:00			`paths:`
			`- ".github/workflows/build.yaml"`
			`- "server/**"`
			`- "proto/**"`
			`- "router/**"`
			`- "launcher/**"`
			`- "Cargo.lock"`
			`- "rust-toolchain.toml"`
			`- "Dockerfile"`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`branches:`
			`- 'main'`

feat(server): flash neoX (#133) 2023-03-24 07:02:14 -06:00			`concurrency:`
			`group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id }}`
			`cancel-in-progress: true`

feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`jobs:`
			`build-and-push-image:`
fix(docker): fix docker image (#184) 2023-04-14 09:31:13 -06:00			`runs-on: large-runner`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`permissions:`
feat(ci): faster scanning (#180) 2023-04-13 08:23:47 -06:00			`contents: write`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`packages: write`
			`# This is used to complete the identity challenge`
			`# with sigstore/fulcio when running outside of PRs.`
			`id-token: write`
fix(ci): fix ci permissions (#181) 2023-04-13 08:32:37 -06:00			`security-events: write`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`steps:`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`- name: Checkout repository`
			`uses: actions/checkout@v3`
feat(ci): improve CI speed (#94) 2023-03-03 07:07:27 -07:00			`- name: Initialize Docker Buildx`
			`uses: docker/setup-buildx-action@v2.0.0`
			`with:`
			`install: true`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`- name: Inject slug/short variables`
			`uses: rlespinasse/github-slug-action@v4.4.1`
			`- name: Install cosign`
			`if: github.event_name != 'pull_request'`
fix(ci): fix cosign error (#183) 2023-04-14 04:35:26 -06:00			`uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0`
			`with:`
			`cosign-release: 'v1.13.1'`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`- name: Tailscale`
			`uses: tailscale/github-action@v1`
			`with:`
			`authkey: ${{ secrets.TAILSCALE_AUTHKEY }}`
			`- name: Login to GitHub Container Registry`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`if: github.event_name != 'pull_request'`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`uses: docker/login-action@v2`
			`with:`
			`registry: ghcr.io`
			`username: ${{ github.actor }}`
			`password: ${{ secrets.GITHUB_TOKEN }}`
			`- name: Login to internal Container Registry`
			`uses: docker/login-action@v2.1.0`
			`with:`
			`username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }}`
			`password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }}`
			`registry: registry.internal.huggingface.tech`
feat(ci): push to AML registry (#56) 2023-02-06 06:33:56 -07:00			`- name: Login to Azure Container Registry`
fea(dockerfile): better layer caching (#159) 2023-04-14 02:12:21 -06:00			`# if: github.event_name != 'pull_request'`
feat(ci): push to AML registry (#56) 2023-02-06 06:33:56 -07:00			`uses: docker/login-action@v2.1.0`
			`with:`
			`username: ${{ secrets.AZURE_DOCKER_USERNAME }}`
			`password: ${{ secrets.AZURE_DOCKER_PASSWORD }}`
			`registry: db4c2190dd824d1f950f5d1555fbadf0.azurecr.io`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`- name: Extract metadata (tags, labels) for Docker`
			`id: meta`
			`uses: docker/metadata-action@v4.3.0`
			`with:`
			`flavor: \|`
			`latest=auto`
			`images: \|`
			`registry.internal.huggingface.tech/api-inference/community/text-generation-inference`
fix(docker): fix docker image dependencies (#187) 2023-04-16 16:26:47 -06:00			`ghcr.io/huggingface/text-generation-inference`
feat(ci): push to AML registry (#56) 2023-02-06 06:33:56 -07:00			`db4c2190dd824d1f950f5d1555fbadf0.azurecr.io/text-generation-inference`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`tags: \|`
feat(router): refactor API and add openAPI schemas (#53) 2023-02-03 04:43:37 -07:00			`type=semver,pattern={{version}}`
			`type=semver,pattern={{major}}.{{minor}}`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}`
			`type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}`
			`- name: Build and push Docker image`
feat(ci): add Trivy and scan docker image (#178) 2023-04-13 07:43:17 -06:00			`id: build-and-push`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`uses: docker/build-push-action@v4`
feat(ci): Docker build and push (#46) 2023-01-31 12:14:05 -07:00			`with:`
			`context: .`
			`file: Dockerfile`
			`push: ${{ github.event_name != 'pull_request' }}`
			`platforms: 'linux/amd64'`
			`tags: ${{ steps.meta.outputs.tags }}`
			`labels: ${{ steps.meta.outputs.labels }}`
feat(ci): improve CI speed (#94) 2023-03-03 07:07:27 -07:00			`cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max`
feat: aws sagemaker compatible image (#147) The only difference is that now it pushes to registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker:... instead of registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sagemaker-... --------- Co-authored-by: Philipp Schmid <32632186+philschmid@users.noreply.github.com> 2023-03-29 13:38:30 -06:00			`cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`# Sign the resulting Docker image digest except on PRs.`
			`# This will only write to the public Rekor transparency log when the Docker`
			`# repository is public to avoid leaking data.`
			`- name: Sign the published Docker image`
			`if: ${{ github.event_name != 'pull_request' }}`
			`env:`
			`COSIGN_EXPERIMENTAL: "true"`
			`# This step uses the identity token to provision an ephemeral certificate`
			`# against the sigstore community Fulcio instance.`
			`run: echo "${{ steps.meta.outputs.tags }}" \| xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}`
feat(ci): add Trivy and scan docker image (#178) 2023-04-13 07:43:17 -06:00			`- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph`
			`uses: aquasecurity/trivy-action@master`
			`if: ${{ github.event_name != 'pull_request' }}`
			`with:`
			`image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'`
			`format: 'github'`
			`output: 'dependency-results.sbom.json'`
			`github-pat: ${{ secrets.GITHUB_TOKEN }}`
feat(ci): faster scanning (#180) 2023-04-13 08:23:47 -06:00			`scanners: 'vuln'`
feat(ci): add Trivy and scan docker image (#178) 2023-04-13 07:43:17 -06:00			`- name: Run Trivy vulnerability scanner`
			`uses: aquasecurity/trivy-action@master`
			`if: ${{ github.event_name != 'pull_request' }}`
			`with:`
			`image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'`
			`format: 'sarif'`
			`output: 'trivy-results.sarif'`
			`severity: 'CRITICAL'`
feat(ci): faster scanning (#180) 2023-04-13 08:23:47 -06:00			`scanners: 'vuln'`
feat(ci): add Trivy and scan docker image (#178) 2023-04-13 07:43:17 -06:00			`- name: Upload Trivy scan results to GitHub Security tab`
			`uses: github/codeql-action/upload-sarif@v2`
			`if: ${{ github.event_name != 'pull_request' }}`
			`with:`
			`sarif_file: 'trivy-results.sarif'`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00
feat: aws sagemaker compatible image (#147) The only difference is that now it pushes to registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker:... instead of registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sagemaker-... --------- Co-authored-by: Philipp Schmid <32632186+philschmid@users.noreply.github.com> 2023-03-29 13:38:30 -06:00			`build-and-push-sagemaker-image:`
			`needs:`
			`- build-and-push-image`
fea(dockerfile): better layer caching (#159) 2023-04-14 02:12:21 -06:00			`runs-on: ubuntu-latest`
feat: aws sagemaker compatible image (#147) The only difference is that now it pushes to registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker:... instead of registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sagemaker-... --------- Co-authored-by: Philipp Schmid <32632186+philschmid@users.noreply.github.com> 2023-03-29 13:38:30 -06:00			`steps:`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`- name: Checkout repository`
			`uses: actions/checkout@v3`
feat: aws sagemaker compatible image (#147) The only difference is that now it pushes to registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker:... instead of registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sagemaker-... --------- Co-authored-by: Philipp Schmid <32632186+philschmid@users.noreply.github.com> 2023-03-29 13:38:30 -06:00			`- name: Initialize Docker Buildx`
			`uses: docker/setup-buildx-action@v2.0.0`
			`with:`
			`install: true`
feat(ci): add image signing with cosign (#175) 2023-04-13 07:26:34 -06:00			`- name: Inject slug/short variables`
			`uses: rlespinasse/github-slug-action@v4.4.1`
fix(ci): fix sagemaker action (#148) 2023-03-29 14:27:01 -06:00			`- name: Tailscale`
			`uses: tailscale/github-action@v1`
			`with:`
			`authkey: ${{ secrets.TAILSCALE_AUTHKEY }}`
feat: aws sagemaker compatible image (#147) The only difference is that now it pushes to registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker:... instead of registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sagemaker-... --------- Co-authored-by: Philipp Schmid <32632186+philschmid@users.noreply.github.com> 2023-03-29 13:38:30 -06:00			`- name: Login to internal Container Registry`
			`uses: docker/login-action@v2.1.0`
			`with:`
			`username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }}`
			`password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }}`
			`registry: registry.internal.huggingface.tech`
			`- name: Extract metadata (tags, labels) for Docker`
			`id: meta`
			`uses: docker/metadata-action@v4.3.0`
			`with:`
			`flavor: \|`
			`latest=auto`
			`images: \|`
			`registry.internal.huggingface.tech/api-inference/community/text-generation-inference/sagemaker`
			`tags: \|`
			`type=semver,pattern={{version}}`
			`type=semver,pattern={{major}}.{{minor}}`
			`type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}`
			`type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}`
			`- name: Build and push Docker image`
			`uses: docker/build-push-action@v2`
			`with:`
			`context: .`
			`file: Dockerfile`
			`push: ${{ github.event_name != 'pull_request' }}`
			`platforms: 'linux/amd64'`
			`target: sagemaker`
			`tags: ${{ steps.meta.outputs.tags }}`
			`labels: ${{ steps.meta.outputs.labels }}`
			`cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max`